When will we learn?

So the IoD have called for more government action in the shadow of the TalkTalk hacks.

Let’s look at this quickly. IT security is a necessary evil nowadays; no matter how big or small you are, you WILL be attacked. As an example, while setting up an Asterisk system for our Canada office it was very briefly open to the world. It took less than 5 minutes for it to be attacked (unsuccessfully); however, let’s put that into perspective…

There are, at last guess, 3,706,452,992 public-facing IP addresses out there. Yet in 5 minutes a number of people noted and attacked just one. If you take the assumption, which seems to be the norm with many directors, that there is a small group of hackers in their bedrooms, then the odds of hitting our server are similar to hitting the lottery. This points to a more likely scenario, well known in the security community: that this is a major form of organised crime.

Now with such a vast address space it suddenly makes no sense from an economic point of view to concentrate all your resources on one single host. In fact it’s easier to scan and pick on the low-hanging fruit: the misconfigured, poorly maintained, badly written sites and those relying on security through obscurity. And here we come to the crux of it.

As a director you are responsible for your business. You make sure your premises are secure, you make sure all your staff are safe and you protect your business. And yet for many businesses, especially larger ones, IT is simply something you must have and the trick is to spend as little money on it as possible. Your IT provider is responsible for your security online and making sure your internet presence is as safe as your real work presence. When this department is typically starved of resources, contracted to the lowest bidder with no check of their credentials, or outsourced, things can and do go wrong. You wouldn’t go to B&Q and put £5 locks on all your doors, but for most, the ISP-supplied free router and a £5 a month hosting package are ‘good enough’.

And TalkTalk? It’s looking like it was an SQL injection attack, the kind that every IT professional knows about, knows the risks of and knows to NEVER allow out into the wild. If this was the cause of the leak, TalkTalk should be sued into oblivion and its directors jailed. It’s inconceivable that a company so big, dealing with so much data, should fall prey to such a basic flaw.

So no, IoD, we don’t need more government help. We need you to give your members a BIG wake up call. IT has been starved and treated as something you have to have but spend as little as possible on for too long, so much that it’s become institutionalised. This needs to change, or more of your members will fall the same way. This is a problem your members have caused and they alone can fix.

If government help is needed, it’s to make this behaviour on the part of company directors a criminal offence with strong punishments, including custodial sentences and large fines. Stop the starving of IT resources from being a viable cost-cutting measure.

Realtek Support in ESXi 6

This is more a note for me. I’m always forgetting this. Most motherboards use a Realtek chip so the following will get it going in most cases. You are going to need to reboot so make sure all clients are stopped.

Grab https://vibsdepot.v-front.de/depot/bundles/net55-r8168-8.039.01-napi-offline_bundle.zip

Pop it in your datastore, in my case it goes (with other bits I need) in the first datastore, eg the default one called datastore1.

Enable the SSH server in BOTH services and firewall, under Configuration -> Security Profile. If you plan on using SSH after this, make sure that you set the SSH server to ‘Start with host’, else it’ll be gone when you reboot.

SSH into the server

esxcli software acceptance set --level=CommunitySupported

esxcli software vib install -d /vmfs/volumes/datastore1/scratch/net55-r8168-8.039.01-napi-offline_bundle.zip

reboot

Once the server reboots your NIC should show.

Mitel 5235, FreePBX and pfSense

These phones are popping up cheaply all over the show. For the money these go for you are getting a lot of phone; however, those buying them and expecting them to just work will have issues.

This guide will get you up and running AND get the BLF working with the above systems. The information applies equally to any Asterisk and any DHCPD.

To be fair, the Asterisk side of things is easy: make an account and, if you want to use BLF, make sure the hints you need are set up. This is covered in many articles. Make a SIP account for the phone and note the details down.

Now you’ll need a working TFTP server. This is usually your FreePBX box, so we will work with that assumption. In the TFTP root you need the phone’s firmware (Google will find this easily) and a number of other files which come with the firmware. You will also want to create a file called MN_Generic.cfg. This will contain all the default settings for all your phones, things that won’t change from phone to phone. Feel free to use the one at the end of the article. There are a lot of examples kicking about.

Finally, the per-phone data. You can do this two ways. Using a file called MN_<MAC>.cfg will tie the final configuration details to THAT phone. This means that when the phones get to their destination the right phone must go in the right place. If you are doing the final setup now this may be your best bet. Remember that if a phone dies, you’ll need to rename this file. The alternative is to use MN_<userid>.cfg. In this case the phone will boot and ask for a user ID. When the user enters their ID the matching .cfg is loaded and the phone reboots with these settings. This is handy if you aren’t doing the final config. You can ship all phones in the basic setup state and the end user puts the phones wherever and THEN sets the config up. You can also use this to allow users to move between phones. The manual for the phone shows how this works.

Either way you need to create one of the above files. You can add as much or as little as you want. Bare bones, it should contain:

<Parameter Model="5235">
<user_list>
<User State="1" ID="<ID>" DispName="<USERNAME>" Pwd="<PASS>" AuthName="1008" Realm="" RegSvr="<FREEPBXIP>" RegPort="5060" RegScheme="2" ProxySvr="<FREEPBXIP>" ProxyPort="5060" ProxyScheme="2" VMSvr="<FREEPBXIP>" VMPort="5060" VMScheme="2" OutSvr="" OutPort="5060" OutCtr="0" Ring="1" Line="0" EventSvr="" EventPort="5060" EventScheme="2" NatMode="0" NatType="option" NatIp="0" BlfGroup=""></User>
</user_list>
</Parameter>

Set <ID>, <FREEPBXIP>, <USERNAME> and <PASS> accordingly. <USERNAME> is displayed by the phone on the LCD and not used elsewhere. Save this under one of the file names above.

Right, here we go, reboot or power on the phone.

Setting up the phone:
This is a bit different. You’ll need to use a PoE injector and know the phone is in SIP mode. Once you have power, disconnect the phone, press the * key and power up, holding it down till the phone does something. If you see ‘Erasing PIN’ then the phone needs resetting to SIP. Pull the power out and press * and 7, keeping them held down. When asked if you want to revert to SIP mode, press * for yes and reboot.

Once the phone reboots you’ll likely see it rejecting DHCP offers; you thought this was simple. You have two choices here. Booting with * held, you can manually set the TFTP server under ‘Modify Static Parameters’. To do it via DHCP you need to add some custom options. In pfSense go to the GUI, go to Services -> DHCP Server, scroll down to ‘Additional Boot/DHCP Options’ and click the button. Click the add button. Now we need to add a string, for number 128. The string needs to be of type Host or IP Address and point to your TFTP server. The same needs to be done for 129; although we aren’t using it, the phone will complain and sulk if it’s not given. The same goes for 130, which should be set to MITEL IP PHONE and is a text field.

Reboot the phone; it’ll complain, reboot and then download the SIP firmware. It may complain and reboot once or twice but it’ll get there. Once it’s booted it’ll walk you through some setup steps and log in. If you are working per user, at this point it’ll be asking for a user ID. This is why you created the MN_xxxx.cfg file. Enter a user ID that has a matching file, e.g. MN_1000.cfg would be 1000. Click the Submit button on the screen. If you went the MAC route it may reboot again and then you should be up and running.

The only real issue hit here is that if the phone has not been factory reset it can behave a little oddly; normally things like the built-in HTTP server fail. Booting the phone with * held down will get you to the boot menu and you can do a factory restore in there. All PINs/passwords default to 5235 and the web login defaults to admin/5235. These can be overridden in the config file.

<Parameter Model="5235">
<dhcpenable>1</dhcpenable>
<tftp_config>1</tftp_config>
<pppoe_enable>0</pppoe_enable>
<tftp_task_enable>1</tftp_task_enable>
<boot_version>02.01.00.05</boot_version>
<image_version>R8.0.08.00.00.04</image_version>
<tftp_upgrade>0</tftp_upgrade>
<http_upgrade>0</http_upgrade>
<outbound_state>0</outbound_state>
<local_sip_port>5060</local_sip_port>
<tls_port>5061</tls_port>
<tos>0</tos>
<e802_priority>-1</e802_priority>
<vlan_id>-1</vlan_id>
<host_name>MN08000F1C071B</host_name>
<domain>-example.com</domain>
<addr_type>0</addr_type>
<hot_line>0</hot_line>
<hot_address>operator@example.com</hot_address>
<hot_addr_type>0</hot_addr_type>
<tls_private_url></tls_private_url>
<tls_certificate_url></tls_certificate_url>
<tls_ca_cert_url></tls_ca_cert_url>
<tls_root_cert_url></tls_root_cert_url>
<tls_certificate></tls_certificate>
<tls_ca_cert></tls_ca_cert>
<tls_root_cert></tls_root_cert>
<poundkeydial>1</poundkeydial>
<dialtonekey>12</dialtonekey>
<htmlpuseraccess>1</htmlpuseraccess>
<remote_reboot>1</remote_reboot>
<checkpeercert>0</checkpeercert>
<sipkeepalive>1</sipkeepalive>
<rss_feed>http://open.live.bbc.co.uk/weather/feeds/en/2637487/3dayforecast.rss</rss_feed>
<blf_pickup>*8</blf_pickup>
<host_ip>135.199.77.12</host_ip>
<video_ip>135.199.77.12</video_ip>
<sntp>pool.ntp.org</sntp>
<time_zone>0</time_zone>
<auth_method>2</auth_method>
<register_expire>7200</register_expire>
<session_timer>1800</session_timer>
<emerg_number></emerg_number>
<emerg_ip>0.0.0.0</emerg_ip>
<emerg_port>5060</emerg_port>
<audio_codec>5</audio_codec>
<audio_pkt_size>20</audio_pkt_size>
<video_codec>0</video_codec>
<dtmf_type>0</dtmf_type>
<dtmf_payload>101</dtmf_payload>
<advisorymsg>0</advisorymsg>
<reasons>0</reasons>
<other_reason></other_reason>
<do_not_disturb>0</do_not_disturb>
<noans_fwd_mode>0</noans_fwd_mode>
<try_ring_nums>10</try_ring_nums>
<noans_fwd_addr></noans_fwd_addr>
<beep_on_hold>1</beep_on_hold>
<on_hold_alert>60</on_hold_alert>
<system_mode>0</system_mode>
<pppoe_login></pppoe_login>
<pppoe_passwd>******</pppoe_passwd>
<callCountIn>0</callCountIn>
<callCountOut>1</callCountOut>
<discovery>0</discovery>
<pbIndex>0</pbIndex>
<adminId>admin</adminId>
<admin_dispname>Administrator</admin_dispname>
<admin_passwd>923e325e16617477e457f6a468a2d6df</admin_passwd>
<busy_fwd_mode>0</busy_fwd_mode>
<busy_fwd_addr></busy_fwd_addr>
<always_fwd_mode>0</always_fwd_mode>
<always_fwd_addr></always_fwd_addr>
<pcport>0</pcport>
<lanport>0</lanport>
<lcd>14</lcd>
<lcd_brightness>9</lcd_brightness>
<rdkw1></rdkw1>
<rdringtype1>0</rdringtype1>
<rdvmail1>0</rdvmail1>
<rdblock1>0</rdblock1>
<rdkw2></rdkw2>
<rdringtype2>0</rdringtype2>
<rdvmail2>0</rdvmail2>
<rdblock2>0</rdblock2>
<rdkw3></rdkw3>
<rdringtype3>0</rdringtype3>
<rdvmail3>0</rdvmail3>
<rdblock3>0</rdblock3>
<rdkw4></rdkw4>
<rdringtype4>0</rdringtype4>
<rdvmail4>0</rdvmail4>
<rdblock4>0</rdblock4>
<rdkw5></rdkw5>
<rdringtype5>0</rdringtype5>
<rdvmail5>0</rdvmail5>
<rdblock5>0</rdblock5>
<dtringtype1>0</dtringtype1>
<dtringtype2>0</dtringtype2>
<dtringtype3>0</dtringtype3>
<dtringtype4>0</dtringtype4>
<dtringtype5>0</dtringtype5>
<dtringtype6>0</dtringtype6>
<dtringtype7>0</dtringtype7>
<dtringtype8>0</dtringtype8>
<dtringtype9>0</dtringtype9>
<dtringtype10>0</dtringtype10>
<dtringtype11>0</dtringtype11>
<dtringtype12>0</dtringtype12>
<http_task_enable>1</http_task_enable>
<https_task_enable>1</https_task_enable>
<httpport>80</httpport>
<httpsport>443</httpsport>
<telnet_task_enable>1</telnet_task_enable>
<voicemail_ringnum>4</voicemail_ringnum>
<gruu_ctl>1</gruu_ctl>
<proxyrequire_ctl>0</proxyrequire_ctl>
<fwEnable>0</fwEnable>
<fwWanurl></fwWanurl>
<sym_udp>0</sym_udp>
<stunip></stunip>
<fwWanDurl></fwWanDurl>
<fwMode>0</fwMode>
<start_port>20000</start_port>
<end_port>20998</end_port>
<multi_user_enable>0</multi_user_enable>
<upgrade>0</upgrade>
<bksrvtm>3</bksrvtm>
<ntfcfg>0</ntfcfg>
<lancode>en_GB</lancode>
<tonecode>GB</tonecode>
<dsmode>1</dsmode>
<dsmonth>3</dsmonth>
<dsweek>2</dsweek>
<dsday>1</dsday>
<dsemonth>11</dsemonth>
<dseweek>1</dseweek>
<dseday>1</dseday>
<ds_transition_time>2</ds_transition_time>
<flashVer>201</flashVer>
<http_download>sipdnld.mitel.com</http_download>
<tftp>192.168.99.7</tftp>
<downloadtype>1</downloadtype>
<dialpl></dialpl>
<gtEnable>0</gtEnable>
<dtimer>3</dtimer>
<autoanswer>0</autoanswer>
<ringPitch>0</ringPitch>
<keysys_enable>0</keysys_enable>
<pbName1>My Number</pbName1>
<pbaddr1>*65</pbaddr1>
<snmp>0</snmp>
<srtp>0</srtp>
<pkDescription>
<Key Line="25" Fea="6" Des="Line  1" Addr="" Addr2="" Mode="1" Mode2="1" UserID="1005"></Key>
<Key Line="26" Fea="7" Des="Line 2" Addr="" Addr2="" Mode="1" Mode2="1" UserID="1005"></Key>
<Key Line="27" Fea="2" Des="Call Logs" Addr="" Addr2="" Mode="1" Mode2="1" UserID=""></Key>
<Key Line="28" Fea="3" Des="Advisory            " Addr="" Addr2="" Mode="1" Mode2="1" UserID=""></Key>
<Key Line="29" Fea="4" Des="Headset             " Addr="" Addr2="" Mode="1" Mode2="1" UserID=""></Key>
<Key Line="30" Fea="19" Des="Weather" Addr="http://open.live.bbc.co.uk/weather/feeds/en/2637487/3dayforecast.rss" Addr2="" Mode="1" Mode2="1" UserID=""></Key>
<Key Line="31" Fea="19" Des="Currency" Addr="http://www.xe.com/rss.xml" Addr2="" Mode="0" Mode2="1" UserID=""></Key>
<Key Line="32" Fea="19" Des="News" Addr="http://feeds.bbci.co.uk/news/rss.xml?edition=uk" Addr2="" Mode="0" Mode2="1" UserID=""></Key>
</pkDescription>
<webdialurl></webdialurl>
<cw_tone>1</cw_tone>
<missedcallsctl>1</missedcallsctl>
<callforwardctl>1</callforwardctl>
<lcdbacklightctl>1</lcdbacklightctl>
<time_format>1</time_format>
<csta_enable>0</csta_enable>
<csta_passwd>******</csta_passwd>
<cfg_poll_timer>1440</cfg_poll_timer>
<reboot_phone>1</reboot_phone>
<firmware_timer>1440</firmware_timer>
<firmware_abs_timer_hr>23</firmware_abs_timer_hr>
<firmware_abs_timer_min>59</firmware_abs_timer_min>
<firmware_abs_enable>1</firmware_abs_enable>
<installer_passcode>1234</installer_passcode>
<user_passwd>5d41402abc4b2a76b9719d911017c592</user_passwd>
<sip_mode>sip</sip_mode>
<voicemail_key></voicemail_key>
<html_enable>1</html_enable>
<html_filename></html_filename>
<facDef>90</facDef>
<ipadr></ipadr>
<ipgateway></ipgateway>
<ipmask></ipmask>
<dhcpLease>7200</dhcpLease>
<dhcpT1>0</dhcpT1>
<dhcpT2>0</dhcpT2>
<dhcpSrv></dhcpSrv>
<ipdns></ipdns>
<ipscddns>0.0.0.0</ipscddns>
<cfg_version>R8.0</cfg_version>
<answered_calls>******</answered_calls>
<missed_calls>******</missed_calls>
<made_calls>******</made_calls>
</Parameter>
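
A check worth running over MN_*.cfg files before they go on the TFTP server, as an added example (not part of the original article or any Mitel tooling): it normalises the typographic quotes that blog rendering puts into copied XML, then flags settings like those in the sample config above that leave management or call traffic unprotected. The meaning of each element and its 0/1 values is inferred from the element names and is an assumption, and the sample input is constructed.

```python
import xml.etree.ElementTree as ET

# Typographic quotes and primes that blog rendering swaps in for ASCII quotes;
# a config pasted with them is not well-formed XML.
SMART = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"',
                       "\u2018": "'", "\u2019": "'"})

# element -> (risky value, finding). Meanings are inferred from the element
# names in the article's config (assumption), not from Mitel documentation.
RISKY = {
    "telnet_task_enable": ("1", "telnet service on (cleartext management)"),
    "http_task_enable": ("1", "web UI reachable over plain HTTP"),
    "srtp": ("0", "SRTP off, call audio unencrypted"),
    "checkpeercert": ("0", "TLS peer certificate not checked"),
}
FACTORY_DEFAULT = "5235"  # default PIN/password stated in the article


def audit(cfg_text):
    """Return a list of findings for the text of one MN_*.cfg file."""
    root = ET.fromstring(cfg_text.translate(SMART))
    findings = []
    for tag, (bad, msg) in RISKY.items():
        if (root.findtext(tag) or "").strip() == bad:
            findings.append(f"{tag}: {msg}")
    code = (root.findtext("installer_passcode") or "").strip()
    if code.isdigit() and len(code) <= 4:
        findings.append("installer_passcode: short numeric passcode")
    for user in root.iter("User"):
        if user.get("Pwd") == FACTORY_DEFAULT:
            findings.append(f"User {user.get('ID')}: Pwd is the factory default")
    return findings


# Constructed sample (not a real deployment), quoted the way a web page renders it.
SAMPLE = """<Parameter Model=”5235″>
<telnet_task_enable>1</telnet_task_enable>
<http_task_enable>1</http_task_enable>
<srtp>0</srtp>
<checkpeercert>0</checkpeercert>
<installer_passcode>1234</installer_passcode>
<user_list>
<User State=”1″ ID=”1000″ DispName=”Reception” Pwd=”5235″ RegSvr=”192.0.2.10″></User>
</user_list>
</Parameter>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Because the per-phone files carry the SIP password in the Pwd attribute and TFTP has no authentication, keep the TFTP server reachable only from the phone network.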